My certifications and learning journey.
# WIRESHARK - Complete Network Traffic Analysis Guide

Network Protocol Analyzer: capture and inspect network packets in real time.

## Table of Contents

- What is Wireshark?
- Installation
- Basic Setup
- Capturing Packets
- Display Filters
- Protocol Analysis
- Real-World Examples
- Interview Questions

## What is Wireshark?

Wireshark is the most popular packet sniffer and network analyzer. It allows you to:

- Capture live network traffic
- See exactly what is being transmitted on the network
- Analyze protocols (HTTP, HTTPS, DNS, FTP, etc.)
- Extract files from network traffic
- Find credentials, passwords and API keys
- Troubleshoot network issues
- Identify security threats

## Installation

```bash
# Ubuntu/Debian
sudo apt-get install wireshark

# Kali Linux
sudo apt-get install wireshark

# macOS
brew install wireshark

# Verify
wireshark --version

# Post-installation (Linux)
# Add your user to the wireshark group to avoid needing sudo
sudo usermod -aG wireshark $USER
sudo chmod +x /usr/bin/dumpcap
```

## Basic Setup

### Running Wireshark

```bash
# GUI mode (easiest)
wireshark &

# Capture from the terminal (tshark)
tshark -i eth0

# Capture and save to a file
tshark -i eth0 -w capture.pcap
```

### Interface Selection

1. Click the blue shark icon to start a capture
2. Select the network interface (eth0, wlan0, etc.)
3. Click Start to begin capturing packets

## Capturing Packets

### Basic Capture

1. Select an interface (Wi-Fi or Ethernet)
2. Click the shark icon to start
3. Generate traffic (browse the web, etc.)
4. Click stop to end the capture

### Capture Filters (applied before the capture starts)

```
# Only capture on port 80 (HTTP)
port 80

# Only capture HTTP traffic
tcp port 80

# Only capture traffic to or from a specific IP
host 192.168.1.100

# Only capture traffic involving a specific subnet
net 192.168.1.0/24

# Exclude specific traffic
not port 22

# Multiple conditions (AND)
host 192.168.1.100 and port 80

# Multiple conditions (OR)
port 80 or port 443
```

## Display Filters (Most Important!)

### Basic Filters

```
# Filter by protocol
http
tls        # HTTPS; there is no "https" display filter (use ssl on older Wireshark versions)
dns
ftp
smtp
ssh
telnet
snmp

# Filter by port
tcp.port == 80
udp.port == 53

# Filter by IP address
ip.src == 192.168.1.100
ip.dst == 8.8.8.8
ip.addr == 192.168.1.100

# Filter by MAC address
eth.src == 00:11:22:33:44:55
eth.dst == aa:bb:cc:dd:ee:ff
```

### Intermediate Filters

```
# HTTP requests only
http.request

# HTTP responses only
http.response

# DNS queries
dns.qry.name

# DNS responses
dns.resp.name

# SSL/TLS handshake (tls.handshake on Wireshark 3.x and later)
ssl.handshake

# TCP connections
tcp.flags.syn == 1    # SYN packets
tcp.flags.ack == 1    # ACK packets
tcp.flags.fin == 1    # FIN packets

# Filter by protocol AND port
tcp.port == 443 and ssl

# Exclude certain traffic
!dns and !arp
```

### Advanced Filters

```
# Find packets with a specific string in the payload
tcp contains "password"
http contains "admin"

# Find HTTP on a non-standard port
tcp.port == 8080 and http

# Find packets larger than 1 MB
frame.len > 1000000

# Find packets in a time range
frame.time >= "2024-01-01 00:00:00"

# Find HTTPS traffic
ssl or tls

# Find unencrypted credentials
http.authorization or ftp.user

# Combination filters
(ip.src == 192.168.1.100 or ip.src == 192.168.1.101) and tcp.port == 80
```

## Protocol Analysis

### HTTP Analysis

1. Filter: `http.request`
2. Look for GET/POST requests
3. Check the Request URI (the URL being accessed)
4. Right-click → Follow → HTTP Stream
5. See the plaintext request and response

Important fields:

- `http.host`: target domain
- `http.user_agent`: browser/software
- `http.request.method`: GET/POST/PUT/DELETE
- `http.request.uri`: path being accessed
- `http.response.code`: status (200/404/500 etc.)

### HTTPS/TLS Analysis

1. Filter: `ssl or tls`
2. Look for handshake packets
3. Check the certificate information
4. Analyze the cipher suites

What you can see:

- Server certificate
- Cipher suite used
- TLS version (1.0, 1.2, 1.3)
- But NOT the encrypted data itself

### DNS Analysis

1. Filter: `dns`
2. Look at `dns.qry.name` (queries)
3. Look at `dns.resp.name` (responses)
4. See which domains the target is accessing

```
# Example:
# Client queries:  google.com
# Server responds: 142.250.185.46
# Now you know Google's IP at this point in time
```

### FTP Analysis

1. Filter: `ftp or ftp-data`
2. Look for the USER command
3. Look for the PASS command (PASSWORD IN PLAINTEXT!)
4. Follow the FTP stream to see the credentials
5. See the file transfers

FTP is unencrypted, so passwords are visible!

### SMTP (Email) Analysis

1. Filter: `smtp`
2. See MAIL FROM: sender
3. See RCPT TO: recipient
4. See the email headers and content

What you can extract:

- Sender email
- Recipient email
- Subject
- Full email body (if sent in plaintext)

## Real-World Scenarios

### Scenario 1: Find Web Credentials

1. Start Wireshark
2. Use the filter: `http.user_agent`
3. A user accesses a web application
4. Look for POST requests
5. Right-click the POST → Follow → HTTP Stream
6. The username/password is visible if sent as plaintext!

Why this works: HTTP has no encryption, so everything is visible.

### Scenario 2: Identify DNS Queries

1. Filter: `dns`
2. Capture on the home network
3. See which websites everyone accessed
4. Analyze the `dns.qry.name` field

```
# Example output:
# Host queries: facebook.com, youtube.com, reddit.com
# Shows browsing habits even without seeing the actual sites
```

### Scenario 3: Extract Files from Traffic

1. Start a capture on the network
2. Someone downloads a file
3. Filter by the file-transfer protocol (http, ftp, smb)
4. Right-click the stream → Export Objects → HTTP
5. Save the downloaded file from the capture!

Works for images, PDFs, executables and documents.

### Scenario 4: Detect Network Scanning

1. Watch for an nmap-style scan
2. Filter: `tcp.flags.syn`
3. See many SYN packets to different ports
4. All from the same source IP
5. This indicates a network scan in progress

### Scenario 5: Certificate Inspection

1. Filter: `ssl.handshake`
2. A user visits an HTTPS website
3. Right-click the packet → Wireshark → Follow → SSL
4. Expand the SSL packet
5. See the server certificate, issuer, expiry and public key

## Advanced Features

### Coloring Rules

Right-click a packet → Set Color → Choose a color, or: View → Coloring Rules.

Color coding helps:

- Red: errors, RST packets
- Green: good traffic
- Orange: warnings
- Blue: TCP
- Pink: UDP

### Statistics

Menu → Statistics → Conversations

- See all IP pairs talking to each other
- See data volumes
- See packet counts

Menu → Statistics → Protocol Hierarchy

- See all protocols used
- See the percentage breakdown

### Following Streams

Right-click a packet → Follow → TCP Stream

- See the complete conversation
- Both directions
- Plaintext (if no encryption)

Colors:

- Blue: Client → Server
- Red: Server → Client

## Interview Questions & Answers

Q1: How would you find a user's password on the network?

A: ...
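Scenario 4 relies on spotting many SYNs from one source by eye; the same check can be automated offline. This added example (not part of the original guide) reads tshark field output, where the export command and the sample lines are assumptions constructed here, and flags any source that sent SYNs to many distinct ports on one host within a short window.

```python
# Added example: detect the SYN-scan pattern of Scenario 4 over tshark field output.
# Assumed input (one SYN-only packet per line) as produced by:
#   tshark -r capture.pcap -Y "tcp.flags.syn == 1 and tcp.flags.ack == 0" \
#     -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -E separator=,
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes ten ports on 10.0.0.20 within a second,
# while 10.0.0.7 makes two ordinary connections a few seconds apart.
SAMPLE_LINES = """\
1700000000.10,10.0.0.7,10.0.0.20,443
1700000000.20,10.0.0.5,10.0.0.20,22
1700000000.21,10.0.0.5,10.0.0.20,80
1700000000.22,10.0.0.5,10.0.0.20,443
1700000000.23,10.0.0.5,10.0.0.20,3389
1700000000.24,10.0.0.5,10.0.0.20,8080
1700000000.25,10.0.0.5,10.0.0.20,21
1700000000.26,10.0.0.5,10.0.0.20,23
1700000000.27,10.0.0.5,10.0.0.20,25
1700000000.28,10.0.0.5,10.0.0.20,53
1700000000.29,10.0.0.5,10.0.0.20,110
1700000003.00,10.0.0.7,10.0.0.20,80
"""

def parse_syn_lines(text):
    """Parse tshark separator=, lines into (time, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # tshark emits empty fields for non-TCP frames; skip them
        t, src, dst, port = parts
        records.append((float(t), src, dst, int(port)))
    return records

def detect_syn_scans(records, min_ports=10, window=5.0):
    """Return {(src, dst): distinct_ports} for sources that sent SYNs to at least
    min_ports distinct ports on one host within `window` seconds (sliding window)."""
    by_pair = defaultdict(list)
    for t, src, dst, port in records:
        by_pair[(src, dst)].append((t, port))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1  # slide the window start forward until it fits
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) >= min_ports and len(ports) > hits.get(pair, 0):
                hits[pair] = len(ports)
    return hits
```

Tune `min_ports` and `window` to the network; a busy client legitimately opens a handful of ports on one server, while a scan touches dozens in seconds.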